US10623184B2 - Smart resource access for decrypted information - Google Patents


Publication number
US10623184B2
Authority
US
United States
Prior art keywords
resource
parameter
program instructions
processors
encrypted
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US14/868,801
Other versions
US20170093574A1 (en)
Inventor
Daniel F. D'Elena
Anthony E. Martinez
Vanessa V. Michelini
Vishwa Persaud
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
International Business Machines Corp
Original Assignee
International Business Machines Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by International Business Machines Corp
Priority to US14/868,801
Assigned to INTERNATIONAL BUSINESS MACHINES CORPORATION. Assignment of assignors interest (see document for details). Assignors: MARTINEZ, ANTHONY E., MICHELINI, VANESSA V., PERSAUD, VISHWA, D'ELENA, DANIEL F.
Publication of US20170093574A1
Application granted
Publication of US10623184B2

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088 Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/316 User authentication by observing the pattern of computer usage, e.g. typical user behaviour
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2133 Verifying human interaction, e.g., Captcha

Definitions

  • the present invention relates generally to the field of restricting access to a resource, and more particularly to encrypting the resource until an event transpires and then permitting access to the resource.
  • data cryptography or data encryption is the process of encoding messages or information in such a way that only authorized parties can read the messages or information. Encryption does not of itself prevent interception, but denies the message content to the interceptor.
  • the message or information referred to as plaintext, is encrypted using an encryption algorithm, generating cipher text that can only be read if decrypted. An authorized recipient can easily decrypt the message with the key provided by the originator to recipients, but not to unauthorized interceptors.
  • a first aspect of the present invention provides a method for protecting a resource.
  • a processor receives a resource and a parameter, wherein the parameter indicates a condition upon which the resource will be made accessible.
  • a processor encrypts the resource.
  • a processor associates the parameter with decryption information for the encrypted resource.
  • a processor sends the encrypted resource to a computing device.
  • a processor determines that the condition of the parameter has been met based on external information regarding the parameter.
  • a processor sends the decryption information to the computing device.
  • a second aspect of the present invention provides a computer program product for protecting a resource.
  • a processor receives a resource and a parameter, wherein the parameter indicates a condition upon which the resource will be made accessible.
  • a processor encrypts the resource.
  • a processor associates the parameter with decryption information for the encrypted resource.
  • a processor sends the encrypted resource to a computing device.
  • a processor determines that the condition of the parameter has been met based on external information regarding the parameter.
  • a processor sends the decryption information to the computing device.
  • a third aspect of the present invention provides a computer system for protecting a resource.
  • a processor receives a resource and a parameter, wherein the parameter indicates a condition upon which the resource will be made accessible.
  • a processor encrypts the resource.
  • a processor associates the parameter with decryption information for the encrypted resource.
  • a processor sends the encrypted resource to a computing device.
  • a processor determines that the condition of the parameter has been met based on external information regarding the parameter.
  • a processor sends the decryption information to the computing device.
  • FIG. 1 illustrates a block diagram depicting a computing environment, according to an embodiment of the present invention.
  • FIG. 2 illustrates a flowchart of the operational steps taken by an authorization program to protect a resource until an event transpires and then to permit access to the resource, within the computing environment of FIG. 1, according to an embodiment of the present invention.
  • FIG. 3 illustrates a block diagram depicting the internal and external components of the server and recipient computing device of FIG. 1 , according to an embodiment of the present invention.
  • Aspects of the present invention may be embodied as a system, method or computer program product. Accordingly, aspects of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module”, or “system.” Furthermore, aspects of the present invention may take the form of a computer program product embodied in one or more computer readable medium(s) having computer readable program code/instructions embodied thereon.
  • Embodiments of the present invention disclose an approach to deny access to a resource until a predetermined time frame or triggering event occurs, then to permit access to the resource.
  • Embodiments of the present invention encrypt the resource and then decrypt the resource once a specific triggering event occurs.
  • FIG. 1 illustrates a block diagram of computing environment 100 in accordance with one embodiment of the present invention.
  • FIG. 1 provides an illustration of one embodiment and does not imply any limitations regarding computing environment 100 in which different embodiments may be implemented.
  • computing environment 100 includes, but is not limited to network 102 , server 104 , and computing device 112 .
  • Computing environment 100 may include additional computing devices, servers, computers, components, or additional devices not shown. It should be appreciated FIG. 1 provides only an illustration of one implementation and does not imply any limitations with regard to the environments in which different embodiments may be implemented. Many modifications to the depicted environment may be made.
  • Network 102 may be a local area network (LAN), a wide area network (WAN) such as the Internet, the public switched telephone network (PSTN), any combination thereof, or any combination of connections and protocols that support communications between server 104 and vehicle computing device 108, in accordance with embodiments of the invention.
  • Network 102 may include wired, wireless, or fiber optic connections.
  • Server 104 may be a management server, a web server, or additional electronic device or computing system capable of processing program instructions and receiving and sending data.
  • server 104 may be a laptop computer, tablet computer, netbook computer, personal computer (PC), desktop computer, or any programmable electronic device.
  • server 104 may represent a server computing system utilizing multiple computers as a server system, such as in a cloud computing environment.
  • server 104 represents a computing system utilizing clustered computers and nodes to act as a single pool of seamless resources.
  • server 104 includes authorization program 106 and database 110 .
  • Server 104 may include additional programs, storage devices, or components. Server 104 may include components, as depicted and described in further detail with respect to FIG. 3.
  • Authorization program 106 controls the process of protecting or limiting access to the resource file 110 , and applying the triggering event which releases the decryption method or key to allow the user permission to access the resource file 110 .
  • a resource can be any document or application which can be created, modified, or viewed on a computing device. Examples of a resource include a deed, a contract, lecture notes, PowerPoint presentations, or any other document which a user decides to apply parameters to the resource in order to limit access to the resource until a specific triggering event has occurred or a time limit has expired.
  • The parameters associated with, or related to, these and additional resources can be, for example, accessible by the parties which have access to the resource, or the parameters can be hidden from the parties which have access to the resource.
  • triggering event parameters are the events which access function 106 uses to determine when the resource can be made accessible to the users.
  • the triggering events can be, for example, a predetermined time frame passing, the death of a person, the sale of a house, a financial event such as a drop or spike in stock prices, an emergency situation, the conclusion of a conference or class, or any event which can transpire which authorization program 106 is able to gather information about, or which a third party can inform authorization program 106 has occurred.
  • Authorization program 106 informs and/or permits access to the resource to specified users when the triggering event occurs and the resource is accessible.
  • authorization program 106 is located on server 104 .
  • authorization program 106 may be located on additional servers, provided authorization program 106 has access to and/or is accessible to resource file 110 , encryption function 108 , and recipient computing device 112 .
  • authorization program 106 includes encryption function 108 .
  • Encryption function 108 encrypts the resource file 110 and controls the decryption process of the resource when requested to decrypt the resource.
  • the decryption process can be performed by encryption function 108 .
  • the decryption process occurs on the client end, and encryption function 108 supplies the client with the necessary information (e.g., decryption key or password) to decrypt the document or application.
  • Encryption function 108 turns the resource into a protected format through an encryption process.
  • Encryption function 108 can apply a number of different encryption techniques to the resource file 110 to protect the resource file 110 from unapproved access.
  • encryption function 108 performs symmetric encryption. Symmetric encryption scrambles the resource file 110 into an unreadable format.
  • This unreadable format is encrypted and decrypted with a single key, which a substantial number of users who are accessing resource file 110 have access to.
  • In symmetric encryption, the decryption of resource file 110 is done in a similar manner as the encryption, with the use of the single key.
  • Encryption function performs asymmetric encryption, which scrambles the resource into an unreadable format and uses a series of keys.
  • In asymmetric encryption there are different types of keys: one type is a private key, which is not shared, and the other is public keys, which are shared.
  • encryption function 108 uses additional methods of encryption not described to protect resource file 110 from being accessed prior to the parameters being reached or triggering event transpiring.
  • encryption function 108 is located on authorization program 106 .
  • encryption function 108 may be located on additional servers provided authorization program 106 has access to encryption function 108 .
  • encryption function 108 may be a function of additional programs, or a standalone program located on server 104 or an additional server or computing device, provided encryption function 108 is accessible to authorization program 106 .
  • Resource file 110 may be a single file or a group of files which may be written to and/or read by authorization program 106 or encryption function 108 .
  • Resource file 110 includes, for example, a resource and at least one triggering event associated with the resource.
  • Resource file 110 can be, for example, the documents or applications which are to be encrypted, or the keys associated with the decryption of the documents or applications.
  • resource file 110 may be written to and/or read by authorization program 106 and/or additional computing devices, servers, computers, components, or additional devices not shown.
  • database 110 is stored on server 104 .
  • database 110 may reside on an alternative server, computer, or computing device, provided database 110 is able to communicate with authorization program 106 and additional devices, programs, and components (not shown).
  • Recipient computing device 112 may be a desktop computer, laptop computer, tablet computer, netbook computer, personal computer (PC), mobile device, or any programmable electronic device capable of communicating with authorization program 106 or resource file 110 via network 102 .
  • Recipient computing device 112 receives either the encrypted resource file 110 , or the decrypted resource file 110 . If recipient computing device 112 receives the encrypted resource file 110 then the recipient cannot access the file until the requirements are met to decrypt resource file 110 .
  • recipient's computing device 112 may be any electronic device or computing system capable of sending and receiving data, and communicating with server 104 via network 102 . In the depicted embodiment, recipient's computing device 112 communicates with server 104 via network 102 .
  • FIG. 2 illustrates a flowchart of the operational steps taken by authorization program 106 to protect a resource through encryption, within computing environment 100 on FIG. 1 , in accordance with an embodiment of the present invention.
  • Flowchart 200 depicts the steps taken by authorization program 106 to apply encryption and triggering event parameters to resource file 110 and monitor resource file 110 until the triggering event parameters have been met, then decrypt resource file 110 for the approved users.
  • FIG. 2 provides only an illustration of one implementation and does not imply any limitations with regard to the environments in which different embodiments may be implemented. Many modifications to the depicted environment may be made.
  • encryption function 108 configures the triggering event.
  • the triggering event may be, for example, a temporal event (e.g., a time period after the start of a conference call, a date/time), a financial event (e.g., a specified stock meeting a certain price), an environmental event (e.g., an earthquake, temperature spike), a personal event (e.g., the birth of a child, the marriage of a person) or another type of event.
  • the triggering event may be any type of real world event that can be monitored.
  • encryption function 108 receives a request from a user to protect resource file 110 .
  • Encryption function 108 configures the triggering event.
  • Encryption function 108 configures the triggering event associated with resource file 110 .
  • the triggering event is specified by the user attempting to encrypt resource file 110 .
  • a triggering event describes a triggering event, time period, or other set of one or more parameters which must be met before decryption of resource file 110 is allowed.
  • Encryption function 108 incorporates the triggering event, time period, or other parameters which are associated with resource file 110 which need to transpire before the decryption process begins. These parameters can be hidden or public from recipients of the encrypted resource, depending on the preferences of the user or entity that caused resource file 110 to be encrypted by encryption function 108 .
  • the user or another entity informs encryption function 108 of the triggering event which must transpire for the decryption to begin.
  • configuring the triggering event results in encryption function 108 monitoring the resource and the triggering event (see step 208 ). For example, if the triggering event specifies that “Stock A” must reach a specified price before the decryption key for the encrypted resource may be released, then encryption function 108 may monitor the stock market, and more specifically, the sale price of “Stock A” until the specified price has been reached.
  • the triggering event may be the marriage of a person.
  • encryption function 108 may configure the triggering event to monitor local newspapers or other informational databases or resources that could include text information regarding the marriage of the person, such as, for example, a wedding announcement in the local newspaper. Based on the specific triggering event and the parameters associated with the triggering event to cause encryption function 108 to decrypt the encrypted resource, encryption function 108 may monitor a variety of resources, and select which resources to monitor when configuring the triggering event.
  • encryption function 108 encrypts the resource.
  • Encryption function 108 may receive encryption parameters specifying a desired type of encryption to apply to resource file 110.
  • Encryption function 108 applies the desired type of encryption to resource file 110 , e.g., symmetrical, asymmetrical, or another form of encryption.
  • encryption function 108 performs the type of encryption specified by a user or another entity.
  • encryption function 108 selects the type of encryption.
  • Encryption function 108 uses the configured encryption parameters to perform the intended encryption method and/or process.
  • the encryption parameters can be symmetrical encryption, asymmetrical encryption, or another form of encryption.
  • Upon encrypting the resource, encryption function 108 associates the decryption information (e.g., decryption key) with the previously configured triggering event such that encryption function 108 does not release the decryption information until the triggering event parameter(s) have been met.
  • Encryption function 108 distributes the encrypted resource. Encryption function 108 distributes the encrypted resource to the intended destinations or recipients. In additional embodiments, encryption function 108 distributes the encrypted resource to recipient computing device 112 or another database or repository. In additional embodiments, encryption function 108 informs the recipient that the encrypted resource has been distributed to recipient computing device 112.
  • encryption function 108 monitors the triggering event.
  • the trigger event can be, for example, the passage of a set amount of time, a specific date has been reached, a user has approved the release of the decryption method/key, or another criteria has been reached.
  • Encryption function 108 monitors the triggering event using keyword search, applying natural language processing (NLP) or semantic analysis to the content to identify a subject for the reference.
  • encryption function 108 monitors the trigger event using various natural language processing techniques on the text regarding the triggering event.
  • encryption function 108 performs natural language processing including semantic typing with n-gram analysis.
  • encryption function 108 searches for the specified triggering event through keyword searches, optimization processes, or other forms of monitoring processes which scan repositories and computing devices connected to network 102 for information related to the specified triggering event. This information can be, for example, an obituary in a newspaper or other database, a stock price reaching a predetermined value, or the sending of an email to employees within a corporation. Encryption function 108 may, for example, gain access to repositories or additional computing devices connected to network 102 to determine that a specific triggering event has occurred, or that a time limit specified by the triggering event has expired. In additional embodiments, encryption function 108 monitors resource file 110 and the triggering event to determine if premature attempts are made to access resource file 110 .
  • Encryption function 108 determines if the triggering event has occurred. Encryption function 108 determines if the triggering event has occurred/expired based on the information obtained from monitoring the triggering event (see step 208). In one embodiment, encryption function 108 uses natural language processing as described in step 208 to determine if the triggering event has occurred. If encryption function 108 determines the triggering event has occurred (YES branch, proceed to decision 212), encryption function 108 proceeds to release the decryption method or key. If encryption function 108 determines the triggering event has not occurred (NO branch, proceed to decision 208), encryption function 108 continues to monitor for the triggering event to occur.
  • Encryption function 108 releases the decryption method or key. Once encryption function 108 determines the required triggering event has occurred, encryption function 108 releases the decryption method or key to the preapproved recipient via network 102 to recipient's computing device 112. The recipient then has access to decrypt resource file 110 and view resource file 110. In one embodiment, encryption function 108 releases the decryption method or key for a predetermined time period before the decryption method or key expires, and after the expiration of the decryption method or key, the recipient can no longer view resource file 110. In additional embodiments, the decryption method or key expires after a specified number of uses (e.g., uses of the key to access the resource).
  • Encryption function 108 decrypts resource file 110 and sends the decrypted resource to recipient's computing device 112. In additional embodiments, encryption function 108 decrypts resource file 110 and alerts the recipients as well as sends the decrypted resource to recipient's computing device 112.
  • FIG. 3 depicts a block diagram 300 of components of server 104 and recipient computing device 112 , in accordance with an illustrative embodiment of the present invention. It should be appreciated FIG. 3 provides only an illustration of one implementation and does not imply any limitations with regard to the environments in which different embodiments may be implemented. Many modifications to the depicted environment may be made.
  • Server 104 and recipient computing device 112 include communications fabric 302, which provides communications between computer processor(s) 304, memory 306, persistent storage 308, communications unit 310, and input/output (I/O) interface(s) 312.
  • Communications fabric 302 may be implemented with any architecture designed for passing data and/or control information between processors (such as microprocessors, communications and network processors, etc.), system memory, peripheral devices, and any additional hardware components within a system.
  • Communications fabric 302 may be implemented with one or more buses.
  • Memory 306 and persistent storage 308 are computer-readable storage media.
  • memory 306 includes random access memory (RAM) and cache memory 314 .
  • In general, memory 306 may include any suitable volatile or non-volatile computer-readable storage media.
  • Memory 306 is stored for execution by one or more of the respective computer processors 304 of server 104 and recipient computing device 112 via one or more memories of memory 306 of server 104 and recipient computing device 112 .
  • persistent storage 308 includes a magnetic hard disk drive.
  • persistent storage 308 may include a solid state hard drive, a semiconductor storage device, read-only memory (ROM), erasable programmable read-only memory (EPROM), flash memory, or any additional computer-readable storage media that is capable of storing program instructions or digital information.
  • the media used by persistent storage 308 may also be removable.
  • a removable hard drive may be used for persistent storage 308 .
  • Additional examples include optical and magnetic disks, thumb drives, and smart cards that are inserted into a drive for transfer onto another computer-readable storage medium that is also part of persistent storage 308 .
  • Communications unit 310, in the examples, provides for communications with additional data processing systems or devices, including server 104 and recipient computing device 112.
  • communications unit 310 includes one or more network interface cards.
  • Communications unit 310 may provide communications through the use of either or both physical and wireless communications links.
  • I/O interface(s) 312 allows for input and output of data with additional devices that may be connected to server 104 and recipient computing device 112 .
  • I/O interface 312 may provide a connection to external devices 316 such as a keyboard, keypad, camera, a touch screen, and/or some additional suitable input device.
  • external devices 316 may also include portable computer-readable storage media such as, for example, thumb drives, portable optical or magnetic disks, and memory cards.
  • authorization program 106 and encryption function 108 may each be stored on such portable computer-readable storage media and may be loaded onto persistent storage 308 of server 104 and recipient computing device 112 via I/O interface(s) 312 of server 104 and recipient computing device 112 .
  • I/O interface(s) 312 also connect to a display 318 .
  • Display 318 provides a mechanism to display data to a user and may be, for example, a computer monitor.
  • the present invention may be a system, a method, and/or a computer program product.
  • the computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present invention.
  • the computer readable storage medium may be a tangible device that may retain and store instructions for use by an instruction execution device.
  • the computer readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing.
  • a non-exhaustive list of more specific examples of the computer readable storage medium includes the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a static random access memory (SRAM), a portable compact disc read-only memory (CD-ROM), a digital versatile disk (DVD), a memory stick, a floppy disk, a mechanically encoded device such as punch-cards or raised structures in a groove having instructions recorded thereon, and any suitable combination of the foregoing.
  • a computer readable storage medium is not to be construed as being transitory signals per se, such as radio waves or additional freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or additional transmission media (e.g., light pulses passing through a fiber-optic cable), or electrical signals transmitted through a wire.
  • Computer readable program instructions described herein may be downloaded to respective computing/processing devices from a computer readable storage medium or to an external computer or external storage device via a network, for example, the Internet, a local area network, a wide area network and/or a wireless network.
  • the network may include copper transmission cables, optical transmission fibers, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers.
  • a network adapter card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium within the respective computing/processing device.
  • Computer readable program instructions for carrying out operations of the present invention may be assembler instructions, instruction-set-architecture (ISA) instructions, machine instructions, machine dependent instructions, microcode, firmware instructions, state-setting data, or either source code or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C++ or the like, and conventional procedural programming languages, such as the “C” programming language or similar programming languages.
  • the computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server.
  • the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
  • electronic circuitry including, for example, programmable logic circuitry, field-programmable gate arrays (FPGA), or programmable logic arrays (PLA) may execute the computer readable program instructions by utilizing state information of the computer readable program instructions to personalize the electronic circuitry, to perform aspects of the present invention.
  • the computer readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or additional programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or additional programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
  • the computer readable program instructions may also be stored in a computer readable storage medium that may direct a computer, a programmable data processing apparatus, and/or additional devices to function in a particular manner, such that the computer readable storage medium having instructions stored therein comprises an article of manufacture including instructions which implement aspects of the function/act specified in the flowchart and/or block diagram block or blocks.
  • the computer readable program instructions may also be loaded onto a computer, additional programmable data processing apparatus, or additional device to cause a series of operational steps to be performed on the computer, additional programmable apparatus or additional device to produce a computer implemented process, such that the instructions which execute on the computer, additional programmable apparatus, or additional device implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
  • each block in the flowchart or block diagrams may represent a module, segment, or table of instructions, which comprises one or more executable instructions for implementing the specified logical function(s).
  • the functions noted in the block may transpire out of the order noted in the figures.
  • two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • General Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Social Psychology (AREA)
  • Storage Device Security (AREA)

Abstract

In an approach for protecting a resource, a processor receives a resource and a parameter, wherein the parameter indicates a condition upon which the resource will be made accessible. A processor encrypts the resource. A processor associates the parameter with decryption information for the encrypted resource. A processor sends the encrypted resource to a computing device. A processor determines that the condition of the parameter has been met based on external information regarding the parameter. A processor sends the decryption information to the computing device.

Description

BACKGROUND
The present invention relates generally to the field of restricting access to a resource, and more particularly to encrypting the resource until an event transpires and then permitting access to the resource.
The use of data cryptography or data encryption is the process of encoding messages or information in such a way that only authorized parties can read the messages or information. Encryption does not of itself prevent interception, but denies the message content to the interceptor. In an encryption scheme, the message or information, referred to as plaintext, is encrypted using an encryption algorithm, generating cipher text that can only be read if decrypted. An authorized recipient can easily decrypt the message with the key provided by the originator to recipients, but not to unauthorized interceptors.
SUMMARY
A first aspect of the present invention provides a method for protecting a resource. In one embodiment, a processor receives a resource and a parameter, wherein the parameter indicates a condition upon which the resource will be made accessible. In one embodiment, a processor encrypts the resource. In one embodiment, a processor associates the parameter with decryption information for the encrypted resource. In one embodiment, a processor sends the encrypted resource to a computing device. In one embodiment, a processor determines that the condition of the parameter has been met based on external information regarding the parameter. In one embodiment, a processor sends the decryption information to the computing device.
A second aspect of the present invention provides a computer program product for protecting a resource. In one embodiment, a processor receives a resource and a parameter, wherein the parameter indicates a condition upon which the resource will be made accessible. In one embodiment, a processor encrypts the resource. In one embodiment, a processor associates the parameter with decryption information for the encrypted resource. In one embodiment, a processor sends the encrypted resource to a computing device. In one embodiment, a processor determines that the condition of the parameter has been met based on external information regarding the parameter. In one embodiment, a processor sends the decryption information to the computing device.
A third aspect of the present invention provides a computer system for protecting a resource. In one embodiment, a processor receives a resource and a parameter, wherein the parameter indicates a condition upon which the resource will be made accessible. In one embodiment, a processor encrypts the resource. In one embodiment, a processor associates the parameter with decryption information for the encrypted resource. In one embodiment, a processor sends the encrypted resource to a computing device. In one embodiment, a processor determines that the condition of the parameter has been met based on external information regarding the parameter. In one embodiment, a processor sends the decryption information to the computing device.
BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS
FIG. 1 illustrates a block diagram depicting a computing environment, according to an embodiment of the present invention.
FIG. 2 illustrates a flowchart of the operational steps taken by an authorization program to protect a resource until an event transpires and then to permit access to the resource, within the computing environment of FIG. 1, according to an embodiment of the present invention.
FIG. 3 illustrates a block diagram depicting the internal and external components of the server and recipient computing device of FIG. 1, according to an embodiment of the present invention.
DETAILED DESCRIPTION
As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or computer program product. Accordingly, aspects of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module”, or “system.” Furthermore, aspects of the present invention may take the form of a computer program product embodied in one or more computer readable medium(s) having computer readable program code/instructions embodied thereon.
Embodiments of the present invention disclose an approach to deny access to a resource until a predetermined time frame or triggering event occurs, then to permit access to the resource. Embodiments of the present invention encrypt the resource and then decrypt the resource once a specific triggering event occurs.
The present invention will now be described in detail with reference to the Figures.
FIG. 1 illustrates a block diagram of computing environment 100 in accordance with one embodiment of the present invention. FIG. 1 provides an illustration of one embodiment and does not imply any limitations regarding computing environment 100 in which different embodiments may be implemented. In the depicted embodiment, computing environment 100 includes, but is not limited to network 102, server 104, and computing device 112. Computing environment 100 may include additional computing devices, servers, computers, components, or additional devices not shown. It should be appreciated FIG. 1 provides only an illustration of one implementation and does not imply any limitations with regard to the environments in which different embodiments may be implemented. Many modifications to the depicted environment may be made.
Network 102 may be a local area network (LAN), a wide area network (WAN) such as the Internet, the public switched telephone network (PSTN), any combination thereof, or any combination of connections and protocols that support communications between server 104 and vehicle computing device 108, in accordance with embodiments of the invention. Network 102 may include wired, wireless, or fiber optic connections.
Server 104 may be a management server, a web server, or additional electronic device or computing system capable of processing program instructions and receiving and sending data. In additional embodiments, server 104 may be a laptop computer, tablet computer, netbook computer, personal computer (PC), desktop computer, or any programmable electronic device. In additional embodiments, server 104 may represent a server computing system utilizing multiple computers as a server system, such as in a cloud computing environment. In additional embodiments, server 104 represents a computing system utilizing clustered computers and nodes to act as a single pool of seamless resources. In the depicted embodiment, server 104 includes authorization program 106 and database 110. In additional embodiments, server 104 may include additional programs, storage devices, or components. Server 104 may include components, as depicted and described in further detail with respect to FIG. 3.
Authorization program 106 controls the process of protecting or limiting access to the resource file 110, and applying the triggering event which releases the decryption method or key to allow the user permission to access the resource file 110. A resource can be any document or application which can be created, modified, or viewed on a computing device. Examples of a resource include a deed, a contract, lecture notes, PowerPoint presentations, or any other document to which a user decides to apply parameters in order to limit access to the resource until a specific triggering event has occurred or a time limit has expired. The parameters associated with, or related to, these and additional resources can be, for example, accessible by the parties which have access to the resource, or the parameters can be hidden from the parties which have access to the resource. An example of when a parameter may be visible is the release of notes or reports from a meeting, so that the participants of the meeting know when they can access the information. An example of an instance where the parameters may be hidden is when the resource which is decrypted is sensitive material such as a person's will and testament, or confidential information. The triggering event parameters are the events which access function 106 uses to determine when the resource can be made accessible to the users. The triggering events can be, for example, a predetermined time frame passing, the death of a person, the sale of a house, a financial event such as a drop or spike in stock prices, an emergency situation, the conclusion of a conference or class, or any event which can transpire which authorization program 106 is able to gather information about, or which a third party can inform authorization program 106 has occurred. Authorization program 106 informs and/or permits access to the resource to specified users when the triggering event occurs and the resource is accessible.
In the depicted embodiment, authorization program 106 is located on server 104. In additional embodiments, authorization program 106 may be located on additional servers, provided authorization program 106 has access to and/or is accessible to resource file 110, encryption function 108, and recipient computing device 112. In the depicted embodiment, authorization program 106 includes encryption function 108.
Encryption function 108 encrypts the resource file 110 and controls the decryption process of the resource when requested to decrypt the resource. In one embodiment, the decryption process can be performed by encryption function 108. In additional embodiments, the decryption process occurs on the client end, and encryption function 108 supplies the client with the necessary information (e.g., decryption key or password) to decrypt the document or application. Encryption function 108 turns the resource into a protected format through an encryption process. Encryption function 108 can apply a number of different encryption techniques to the resource file 110 to protect the resource file 110 from unapproved access. In one embodiment, encryption function 108 performs symmetric encryption. Symmetric encryption scrambles the resource file 110 into an unreadable format. This unreadable format is encrypted and decrypted with a single key, which a substantial number of users who are accessing resource file 110 have access to. In symmetric encryption, the decryption of resource file 110 is done in a similar manner to the encryption, with the use of the single key. In additional embodiments, encryption function performs asymmetric encryption, which scrambles the resource into an unreadable format and uses a series of keys. In asymmetric encryption there are different types of keys: a private key, which is not shared, and public keys, which are shared. In additional embodiments, encryption function 108 uses additional methods of encryption not described to protect resource file 110 from being accessed prior to the parameters being reached or the triggering event transpiring.
In the depicted embodiment, encryption function 108 is located on authorization program 106. In additional embodiments, encryption function 108 may be located on additional servers provided authorization program 106 has access to encryption function 108. In additional embodiments, encryption function 108 may be a function of additional programs, or a standalone program located on server 104 or an additional server or computing device, provided encryption function 108 is accessible to authorization program 106.
Resource file 110 may be a single file or a group of files which may be written to and/or read by authorization program 106 or encryption function 108. In one embodiment, resource file 110 includes, for example, a resource and at least one triggering event associated with the resource. Resource file 110 can be, for example, the documents or applications which are to be encrypted, or the keys associated with the decryption of the documents or applications. In additional embodiments, resource file 110 may be written to and/or read by authorization program 106 and/or additional computing devices, servers, computers, components, or additional devices not shown. In the depicted embodiment, database 110 is stored on server 104. In additional embodiments, database 110 may reside on an alternative server, computer, or computing device, provided database 110 is able to communicate with authorization program 106 and additional devices, programs, and components (not shown).
Recipient computing device 112 may be a desktop computer, laptop computer, tablet computer, netbook computer, personal computer (PC), mobile device, or any programmable electronic device capable of communicating with authorization program 106 or resource file 110 via network 102. Recipient computing device 112 receives either the encrypted resource file 110, or the decrypted resource file 110. If recipient computing device 112 receives the encrypted resource file 110 then the recipient cannot access the file until the requirements are met to decrypt resource file 110. In additional embodiments, recipient's computing device 112 may be any electronic device or computing system capable of sending and receiving data, and communicating with server 104 via network 102. In the depicted embodiment, recipient's computing device 112 communicates with server 104 via network 102.
FIG. 2 illustrates a flowchart of the operational steps taken by authorization program 106 to protect a resource through encryption, within computing environment 100 on FIG. 1, in accordance with an embodiment of the present invention. Flowchart 200 depicts the steps taken by authorization program 106 to apply encryption and triggering event parameters to resource file 110 and monitor resource file 110 until the triggering event parameters have been met, then decrypt resource file 110 for the approved users. It should be appreciated FIG. 2 provides only an illustration of one implementation and does not imply any limitations with regard to the environments in which different embodiments may be implemented. Many modifications to the depicted environment may be made.
In step 202, encryption function 108 configures the triggering event. The triggering event may be, for example, a temporal event (e.g., a time period after the start of a conference call, a date/time), a financial event (e.g., a specified stock meeting a certain price), an environmental event (e.g., an earthquake, temperature spike), a personal event (e.g., the birth of a child, the marriage of a person) or another type of event. In general, the triggering event may be any type of real world event that can be monitored. Initially encryption function 108 receives a request from a user to protect resource file 110. Encryption function 108 configures the triggering event associated with resource file 110. The triggering event is specified by the user attempting to encrypt resource file 110. As used herein, a triggering event describes a triggering event, time period, or other set of one or more parameters which must be met before decryption of resource file 110 is allowed. Encryption function 108 incorporates the triggering event, time period, or other parameters which are associated with resource file 110 and which need to transpire before the decryption process begins. These parameters can be hidden from or visible to recipients of the encrypted resource, depending on the preferences of the user or entity that caused resource file 110 to be encrypted by encryption function 108. In one embodiment, the user or another entity informs encryption function 108 of the triggering event which must transpire for the decryption to begin.
In some embodiments, configuring the triggering event results in encryption function 108 monitoring the resource and the triggering event (see step 208). For example, if the triggering event specifies that “Stock A” must reach a specified price before the decryption key for the encrypted resource may be released, then encryption function 108 may monitor the stock market, and more specifically, the sale price of “Stock A” until the specified price has been reached. In another example, the triggering event may be the marriage of a person. In such an embodiment, encryption function 108 may configure the triggering event to monitor local newspapers or other informational databases or resources that could include text information regarding the marriage of the person, such as, for example, a wedding announcement in the local newspaper. Based on the specific triggering event and the parameters associated with the triggering event to cause encryption function 108 to decrypt the encrypted resource, encryption function 108 may monitor a variety of resources, and select which resources to monitor when configuring the triggering event.
In step 204, encryption function 108 encrypts the resource. Encryption function 108 may receive encryption parameters specifying a desired type of encryption to apply to resource file 110. Encryption function 108 applies the desired type of encryption to resource file 110, e.g., symmetrical, asymmetrical, or another form of encryption. In one embodiment, encryption function 108 performs the type of encryption specified by a user or another entity. In additional embodiments, encryption function 108 selects the type of encryption. Encryption function 108 uses the configured encryption parameters to perform the intended encryption method and/or process. The encryption parameters can be symmetrical encryption, asymmetrical encryption, or another form of encryption. Upon encrypting the resource, encryption function 108 associates the decryption information (e.g., decryption key) with the previously configured triggering event such that encryption function 108 does not release the decryption information until the triggering event parameter(s) have been met.
In step 206, encryption function 108 distributes the encrypted resource. Encryption function 108 distributes the encrypted resource to the intended destinations or recipients. In additional embodiments, encryption function 108 distributes the encrypted resource to recipient computing device 112 or another database or repository. In additional embodiments, encryption function 108 informs the recipient that the encrypted resource has been distributed to recipient computing device 112.
In step 208, encryption function 108 monitors the triggering event. The trigger event can be, for example, the passage of a set amount of time, a specific date being reached, a user approving the release of the decryption method/key, or another criterion being met. In one embodiment, encryption function 108 monitors the triggering event using a keyword search that applies natural language processing (NLP) or semantic analysis to the content to identify a subject for the reference. In additional embodiments, encryption function 108 monitors the trigger event using various natural language processing techniques on the text regarding the triggering event. In yet another embodiment, encryption function 108 performs natural language processing including semantic typing with n-gram analysis. In additional embodiments, encryption function 108 searches for the specified triggering event through keyword searches, optimization processes, or other forms of monitoring processes which scan repositories and computing devices connected to network 102 for information related to the specified triggering event. This information can be, for example, an obituary in a newspaper or other database, a stock price reaching a predetermined value, or the sending of an email to employees within a corporation. Encryption function 108 may, for example, gain access to repositories or additional computing devices connected to network 102 to determine that a specific triggering event has occurred, or that a time limit specified by the triggering event has expired. In additional embodiments, encryption function 108 monitors resource file 110 and the triggering event to determine if premature attempts are made to access resource file 110.
In decision 210, encryption function 108 determines whether the triggering event has occurred. Encryption function 108 determines if the triggering event has occurred/expired based on the information obtained from monitoring the triggering event (see step 208). In one embodiment, encryption function 108 uses natural language processing as described in step 208 to determine if the triggering event has occurred. If encryption function 108 determines the triggering event has occurred (YES branch, proceed to decision 212), encryption function 108 proceeds to release the decryption method or key. If encryption function 108 determines the triggering event has not occurred (NO branch, proceed to decision 208), encryption function 108 continues to monitor for the triggering event to occur.
In step 212, encryption function 108 releases the decryption method or key. Once encryption function 108 determines the required triggering event has occurred, encryption function 108 releases the decryption method or key to the preapproved recipient via network 102 to recipient's computing device 112. The recipient then has access to decrypt resource file 110 and view resource file 110. In one embodiment, encryption function 108 releases the decryption method or key for a predetermined time period before the decryption method or key expires, and after the expiration of the decryption method or key, the recipient can no longer view resource file 110. In additional embodiments, the decryption method or key expires after a specified number of uses (e.g., uses of the key to access the resource). In additional embodiments, the decryption method or key does not expire. In additional embodiments, encryption function 108 decrypts resource file 110 and sends the decrypted resource to recipient's computing device 112. In additional embodiments, encryption function 108 decrypts resource file 110 and alerts the recipients as well as sends the decrypted resource to recipient's computing device 112.
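Steps 202 through 212 as an added sketch, not code from the patent: a server encrypts a resource, binds the key to a condition evaluated on external information, logs premature requests, and releases the key to an approved recipient only after the condition is met, subject to a use limit or time limit. All class, function and parameter names and the sample values are assumptions, and the HMAC-SHA256 counter-mode cipher is a standard-library stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from the escrowed key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real cipher (assumption).
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; ValueError on tampering or a wrong key."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


@dataclass
class Escrow:
    key: bytes
    condition: Callable[[dict], bool]    # the "parameter", evaluated on external information
    recipients: frozenset
    max_uses: Optional[int] = None       # key expires after this many releases
    ttl: Optional[float] = None          # seconds the key stays releasable after the trigger
    released_at: Optional[float] = None
    uses: int = 0


class AuthorizationServer:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._escrow = {}
        self._clock = clock
        self.audit = []                  # (resource_id, recipient, outcome)

    def protect(self, rid, plaintext, condition, recipients, max_uses=None, ttl=None):
        """Steps 202-206: bind the trigger to a fresh key; return ciphertext to distribute."""
        key = secrets.token_bytes(32)
        self._escrow[rid] = Escrow(key, condition, frozenset(recipients), max_uses, ttl)
        return seal(key, plaintext)

    def observe(self, rid, external_info: dict) -> bool:
        """Steps 208-210: evaluate the condition on monitored external information."""
        e = self._escrow[rid]
        if e.released_at is None and e.condition(external_info):
            e.released_at = self._clock()
        return e.released_at is not None

    def request_key(self, rid, recipient) -> Optional[bytes]:
        """Step 212: release the key only to an approved recipient after the trigger."""
        e = self._escrow.get(rid)
        if e is None or recipient not in e.recipients:
            outcome = "denied:unauthorized"
        elif e.released_at is None:
            outcome = "denied:premature"     # premature access attempt, kept in the audit log
        elif e.ttl is not None and self._clock() - e.released_at > e.ttl:
            outcome = "denied:expired"
        elif e.max_uses is not None and e.uses >= e.max_uses:
            outcome = "denied:exhausted"
        else:
            e.uses += 1
            outcome = "released"
        self.audit.append((rid, recipient, outcome))
        return e.key if outcome == "released" else None


if __name__ == "__main__":
    srv = AuthorizationServer()
    # Constructed sample: release the notes once "Stock A" reaches 150.
    blob = srv.protect("notes", b"Q3 meeting notes",
                       lambda info: info.get("stock_a_price", 0) >= 150, {"alice"}, max_uses=1)
    print(srv.request_key("notes", "alice"))
    srv.observe("notes", {"stock_a_price": 151})
    print(open_sealed(srv.request_key("notes", "alice"), blob))
    print(srv.audit)
```

The use limit and time limit only stop further releases by the server; a recipient that has already received the key, or the decrypted resource, still holds it.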
FIG. 3 depicts a block diagram 300 of components of server 104 and recipient computing device 112, in accordance with an illustrative embodiment of the present invention. It should be appreciated FIG. 3 provides only an illustration of one implementation and does not imply any limitations with regard to the environments in which different embodiments may be implemented. Many modifications to the depicted environment may be made.
Server 104 and recipient computing device 112 include communications fabric 302, which provides communications between computer processor(s) 304, memory 306, persistent storage 308, communications unit 310, and input/output (I/O) interface(s) 312. Communications fabric 302 may be implemented with any architecture designed for passing data and/or control information between processors (such as microprocessors, communications and network processors, etc.), system memory, peripheral devices, and any additional hardware components within a system. For example, communications fabric 302 may be implemented with one or more buses.
Memory 306 and persistent storage 308 are computer-readable storage media. In one embodiment, memory 306 includes random access memory (RAM) and cache memory 314. In general, memory 306 may include any suitable volatile or non-volatile computer-readable storage media.
Memory 306 is stored for execution by one or more of the respective computer processors 304 of server 104 and recipient computing device 112 via one or more memories of memory 306 of server 104 and recipient computing device 112. In the depicted embodiment, persistent storage 308 includes a magnetic hard disk drive. Alternatively, or in addition to a magnetic hard disk drive, persistent storage 308 may include a solid state hard drive, a semiconductor storage device, read-only memory (ROM), erasable programmable read-only memory (EPROM), flash memory, or any additional computer-readable storage media that is capable of storing program instructions or digital information.
The media used by persistent storage 308 may also be removable. For example, a removable hard drive may be used for persistent storage 308. Additional examples include optical and magnetic disks, thumb drives, and smart cards that are inserted into a drive for transfer onto another computer-readable storage medium that is also part of persistent storage 308.
Communications unit 310, in the examples, provides for communications with additional data processing systems or devices, including server 104 and recipient computing device 112. In the examples, communications unit 310 includes one or more network interface cards. Communications unit 310 may provide communications through the use of either or both physical and wireless communications links.
I/O interface(s) 312 allows for input and output of data with additional devices that may be connected to server 104 and recipient computing device 112. For example, I/O interface 312 may provide a connection to external devices 316 such as a keyboard, keypad, camera, a touch screen, and/or some additional suitable input device. External devices 316 may also include portable computer-readable storage media such as, for example, thumb drives, portable optical or magnetic disks, and memory cards. Software and data used to practice embodiments of the present invention, e.g., authorization program 106 and encryption function 108 may each be stored on such portable computer-readable storage media and may be loaded onto persistent storage 308 of server 104 and recipient computing device 112 via I/O interface(s) 312 of server 104 and recipient computing device 112. I/O interface(s) 312 also connect to a display 318.
Display 318 provides a mechanism to display data to a user and may be, for example, a computer monitor.
The present invention may be a system, a method, and/or a computer program product. The computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present invention.
The computer readable storage medium may be a tangible device that may retain and store instructions for use by an instruction execution device. The computer readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. A non-exhaustive list of more specific examples of the computer readable storage medium includes the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a static random access memory (SRAM), a portable compact disc read-only memory (CD-ROM), a digital versatile disk (DVD), a memory stick, a floppy disk, a mechanically encoded device such as punch-cards or raised structures in a groove having instructions recorded thereon, and any suitable combination of the foregoing. A computer readable storage medium, as used herein, is not to be construed as being transitory signals per se, such as radio waves or additional freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or additional transmission media (e.g., light pulses passing through a fiber-optic cable), or electrical signals transmitted through a wire.
Computer readable program instructions described herein may be downloaded to respective computing/processing devices from a computer readable storage medium or to an external computer or external storage device via a network, for example, the Internet, a local area network, a wide area network and/or a wireless network. The network may include copper transmission cables, optical transmission fibers, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. A network adapter card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium within the respective computing/processing device.
Computer readable program instructions for carrying out operations of the present invention may be assembler instructions, instruction-set-architecture (ISA) instructions, machine instructions, machine dependent instructions, microcode, firmware instructions, state-setting data, or either source code or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C++ or the like, and conventional procedural programming languages, such as the “C” programming language or similar programming languages. The computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider). In additional embodiments, electronic circuitry including, for example, programmable logic circuitry, field-programmable gate arrays (FPGA), or programmable logic arrays (PLA) may execute the computer readable program instructions by utilizing state information of the computer readable program instructions to personalize the electronic circuitry, to perform aspects of the present invention.
Aspects of the present invention are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, may be implemented by computer readable program instructions.
The computer readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or additional programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or additional programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. The computer readable program instructions may also be stored in a computer readable storage medium that may direct a computer, a programmable data processing apparatus, and/or additional devices to function in a particular manner, such that the computer readable storage medium having instructions stored therein comprises an article of manufacture including instructions which implement aspects of the function/act specified in the flowchart and/or block diagram block or blocks.
The computer readable program instructions may also be loaded onto a computer, additional programmable data processing apparatus, or additional device to cause a series of operational steps to be performed on the computer, additional programmable apparatus or additional device to produce a computer implemented process, such that the instructions which execute on the computer, additional programmable apparatus, or additional device implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or table of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may transpire out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, may be implemented by special purpose hardware-based systems that perform the specified functions or acts or carry out combinations of special purpose hardware and computer instructions.

Claims (15)

What is claimed is:
1. A method for protecting a resource, the method comprising:
receiving the resource and a parameter, wherein the parameter indicates a condition under which the resource is made accessible to an entity attempting to access the resource, and wherein the condition of the parameter is an occurrence of a real world event that is not associated with an identity of the entity attempting to access the resource;
encrypting, by one or more processors, the resource;
associating, by one or more processors, the parameter with decryption information for the encrypted resource, wherein the decryption information enables decryption of the encrypted resource without requiring additional information to decrypt the encrypted resource;
sending, by one or more processors, the encrypted resource to a computing device;
detecting, by one or more processors, an access attempt corresponding to the received encrypted resource, wherein the access attempt is made by the entity attempting to access the resource;
determining, by one or more processors, whether the access attempt meets the condition of the parameter by monitoring external information corresponding to the occurrence of the real world event and determining, by one or more processors, that the real world event has occurred based on the external information; and
responsive to determining that the condition of the parameter has been met, sending, by one or more processors, the associated decryption information to the computing device.
2. The method of claim 1, further comprising:
receiving an indication of the encrypted resource which contains information regarding the parameter.
3. The method of claim 1, further comprising:
identifying, by one or more processors, the encrypted resource which contains information regarding the parameter.
4. The method of claim 1, further comprising:
informing, by one or more processors, a user of the computing device, that the decryption information is able to decrypt the encrypted resource.
5. The method of claim 1, further comprising:
subsequent to sending the encrypted resource to the computing device, receiving a request to alter the parameter associated with the decryption information; and
altering, by one or more processors, the parameter.
6. A computer program product for protecting a resource, the computer program product comprising:
one or more computer readable storage media and program instructions stored on the one or more computer readable storage media, the program instructions comprising:
program instructions to receive the resource and a parameter, wherein the parameter indicates a condition under which the resource is made accessible to an entity attempting to access the resource, and wherein the condition of the parameter is an occurrence of a real world event that is not associated with an identity of the entity attempting to access the resource;
program instructions to encrypt the resource;
program instructions to associate the parameter with decryption information for the encrypted resource, wherein the decryption information enables decryption of the encrypted resource without requiring additional information to decrypt the encrypted resource;
program instructions to send the encrypted resource to a computing device;
program instructions to detect an access attempt corresponding to the received encrypted resource, wherein the access attempt is made by the entity attempting to access the resource;
program instructions to determine, whether the access attempt meets the condition of the parameter by monitoring external information corresponding to the occurrence of the real world event and determining, by one or more processors, that the real world event has occurred based on the external information; and
program instructions to, responsive to determining that the condition of the parameter has been met, send, by one or more processors, the associated decryption information to the computing device.
7. The computer program product of claim 6, further comprising:
program instructions, stored on the one or more computer readable storage media, to receive an indication of the encrypted resource which contains information regarding the parameter.
8. The computer program product of claim 6, further comprising:
program instructions, stored on the one or more computer readable storage media, to identify the encrypted resource which contains information regarding the parameter.
9. The computer program product of claim 6, further comprising:
program instructions, stored on the one or more computer readable storage media, to inform a user of the computing device, that the decryption information is able to decrypt the encrypted resource.
10. The computer program product of claim 6, further comprising:
program instructions, stored on the one or more computer readable storage media, to, subsequent to sending the encrypted resource to the computing device, receive a request to alter the parameter associated with the decryption information; and
program instructions, stored on the one or more computer readable storage media, to alter the parameter.
11. A computer system for protecting a resource, the computer system comprising:
one or more computer processors, one or more computer readable storage media, and program instructions stored on the computer readable storage media for execution by at least one of the one or more processors, the program instructions comprising:
program instructions to receive the resource and a parameter, wherein the parameter indicates a condition under which the resource is made accessible to an entity attempting to access the resource, and wherein the condition of the parameter is an occurrence of a real world event that is not associated with an identity of the entity attempting to access the resource;
program instructions to encrypt the resource;
program instructions to associate the parameter with decryption information for the encrypted resource, wherein the decryption information enables decryption of the encrypted resource without requiring additional information to decrypt the encrypted resource;
program instructions to send the encrypted resource to a computing device;
program instructions to detect an access attempt corresponding to the received encrypted resource, wherein the access attempt is made by the entity attempting to access the resource;
program instructions to determine, whether the access attempt meets the condition of the parameter by monitoring external information corresponding to the occurrence of the real world event and determining, by one or more processors, that the real world event has occurred based on the external information; and
program instructions to, responsive to determining that the condition of the parameter has been met, send, by one or more processors, the associated decryption information to the computing device.
12. The computer system of claim 11, further comprising:
program instructions, stored on the computer readable storage media for execution by at least one of the one or more processors, to receive an indication of the encrypted resource which contains information regarding the parameter.
13. The computer system of claim 11, further comprising:
program instructions, stored on the computer readable storage media for execution by at least one of the one or more processors, to identify the encrypted resource which contains information regarding the parameter.
14. The computer system of claim 11, further comprising:
program instructions, stored on the computer readable storage media for execution by at least one of the one or more processors, to inform a user of the computing device, that the decryption information is able to decrypt the encrypted resource.
15. The computer system of claim 11, further comprising:
program instructions, stored on the computer readable storage media for execution by at least one of the one or more processors, to, subsequent to sending the encrypted resource to the computing device, receive a request to alter the parameter associated with the decryption information; and
program instructions, stored on the computer readable storage media for execution by at least one of the one or more processors, to alter the parameter.
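The flow recited in claims 1 and 5, as an added sketch that is not part of the patent or of any IBM implementation: a server encrypts a resource, keeps the decryption key in escrow against an event parameter, and releases the key only once an external feed reports that the event has occurred. The names `KeyReleaseServer`, `event_has_occurred`, the event strings and the HMAC-SHA256 stand-in cipher are assumptions made for illustration; the patent names no algorithm.

```python
import hashlib
import hmac
import secrets

# Stand-in authenticated cipher (HMAC-SHA256 keystream, encrypt-then-MAC) so the
# sketch runs on the standard library only. Assumption: a deployment would use a
# vetted AEAD instead; the patent does not specify a cipher.
def subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    stream = keystream(subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise ValueError("ciphertext too short")
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    stream = keystream(subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))

class KeyReleaseServer:
    """Hypothetical server role: escrows keys and releases them on an event."""

    def __init__(self, event_has_occurred):
        # callable(event) -> bool, backed by the monitored external information
        self.event_has_occurred = event_has_occurred
        self.escrow = {}  # resource id -> {"key": bytes, "event": str}
        self.audit = []   # (resource id, requester, event, released)

    def protect(self, resource: bytes, event: str):
        """Encrypt the resource and associate the parameter with its key."""
        resource_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self.escrow[resource_id] = {"key": key, "event": event}
        return resource_id, seal(key, resource)

    def alter_parameter(self, resource_id: str, new_event: str) -> None:
        """Claim 5: change the condition after the ciphertext has been sent."""
        self.escrow[resource_id]["event"] = new_event

    def request_key(self, resource_id: str, requester: str):
        """Handle an access attempt; the requester is logged, not evaluated."""
        entry = self.escrow.get(resource_id)
        if entry is None:
            self.audit.append((resource_id, requester, None, False))
            return None
        released = bool(self.event_has_occurred(entry["event"]))
        self.audit.append((resource_id, requester, entry["event"], released))
        return entry["key"] if released else None

def demo():
    occurred = set()  # constructed stand-in for the external information feed
    server = KeyReleaseServer(lambda event: event in occurred)
    rid, blob = server.protect(b"Q3 results", "earnings-call-held")
    early = server.request_key(rid, "device-112")   # event not yet reported
    occurred.add("earnings-call-held")
    key = server.request_key(rid, "device-112")     # event reported: key released
    return early, unseal(key, blob), server.audit

if __name__ == "__main__":
    print(demo())
```

Because the release decision ignores who is asking, as claim 1 requires, the integrity of the event feed and the audit log are the only control points once the ciphertext has been distributed.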
Priority Applications (1)

Application Number Priority Date Filing Date Title
US14/868,801 US10623184B2 (en) 2015-09-29 2015-09-29 Smart resource access for decrypted information

Publications (2)

Publication Number Publication Date
US20170093574A1 US20170093574A1 (en) 2017-03-30
US10623184B2 US10623184B2 (en) 2020-04-14

Family

ID=58409359

Family Applications (1)

Application Number Title Priority Date Filing Date
US14/868,801 Active 2035-12-23 US10623184B2 (en) 2015-09-29 2015-09-29 Smart resource access for decrypted information

Country Status (1)

Country Link
US (1) US10623184B2 (en)

Also Published As

Publication number Publication date
US20170093574A1 (en) 2017-03-30

Legal Events

Date Code Title Description
AS Assignment

Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW YORK

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:D'ELENA, DANIEL F.;MARTINEZ, ANTHONY E.;MICHELINI, VANESSA V.;AND OTHERS;SIGNING DATES FROM 20150922 TO 20150923;REEL/FRAME:036680/0426

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STCF Information on status: patent grant

Free format text: PATENTED CASE

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4